Crash bug in FF 1.5.0.6

Hi Malware Fighters,

Researcher Michal Zalewski has uncovered more crash bugs in the Firefox browser. They affect the current version 1.5.0.6. Zalewski has released proof-of-concept attacks. See here:
http://lcamtuf.coredump.cx/ffoxdie.html (Click at your own risk with JavaScript enabled to crash your browser)

The vulnerability results in memory corruption. The cause is a race condition that causes mismanagement of memory, such as freeing the same area twice.

Definition of a race condition:
Irregular behavior of a program due to unexpected critical dependence on the relative timing of events. For example, two different processes may be simultaneously reading from and writing to the same file, resulting in data read not being up-to-date.

When JavaScript timers or other browser events interrupt browser components while they are running, freed memory structures are potentially left in an unexpected state.

Such attacks can often lead to arbitrary code execution, but there is no proof that this one can.

Due to heavy code re-use in the Mozilla family, it’s possible that products other than Firefox are vulnerable.

So NoScript on, and not a lot can get wrong.
It is also found by me that XPCOM_CORE.DLL, NSPR4.DLL, PLCH.DLL & PLDS4.DLL of the components file have errors on opening through JAR50.DLL, at least as found by Dependency Walker. If you have one wrong plug-in installed it can also crash this browser; to my knowledge Flock is less sensitive here.

polonus

Hello forum members,

Here is a discussion on the race condition (there are two types, the general one and the more renowned data race condition); for specific issues with Mozilla read:
http://www.novell.com/linux/security/advisories/2006_48_seamonkey.html

Memory corruption with simultaneous events

Secunia Research has discovered a vulnerability in Mozilla Firefox 1.5 branch, which can be exploited by malicious people to compromise a user's system.

H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by the attacker.

The vulnerability is caused due to a memory corruption error within the handling of simultaneously happening XPCOM events, which leads to use of a deleted timer object. This generally results in a crash but potentially could be exploited to execute arbitrary code on a user's system when a malicious website is visited.

Coders should run a Data Race Detection Tool from here:
http://developers.sun.com/prodtech/cc/downloads/drdt/drdt_index.html

polonus
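As an added illustration (not code from the thread, from Mozilla or from Secunia) of the ownership problem both posts describe, the model below lets an event handler destroy a timer while the dispatcher still holds it. It uses a constructed quarantining allocator that only marks blocks freed, so the dangling use and the second free are reported deterministically instead of corrupting the heap, and a reference-counted variant shows the fix; all names are hypothetical.

```c
#include <stdlib.h>

/* Constructed mini "allocator": freed blocks are quarantined (never returned
 * to libc), so a dangling access or a second free can be detected rather than
 * silently corrupting the heap. Real tools such as ASan and Valgrind do this. */
enum { ST_LIVE = 1, ST_FREED = 2 };
enum { OK = 0, ERR_UAF = 1, ERR_DOUBLE_FREE = 2 };
typedef struct Timer { int state; int refcnt; int fired; void (*handler)(struct Timer *); } Timer;
static int faults;                         /* detected memory errors */

static Timer *timer_new(void (*h)(Timer *)) {
    Timer *t = calloc(1, sizeof *t);       /* intentionally never free()d: quarantine */
    if (!t) abort();
    t->state = ST_LIVE; t->refcnt = 1; t->handler = h;
    return t;
}
static int timer_use(Timer *t) {           /* any access the dispatcher makes */
    if (t->state != ST_LIVE) { faults++; return ERR_UAF; }
    t->fired++; return OK;
}
/* Unsafe ownership: whoever wants the timer gone destroys it immediately. */
static int timer_free_unsafe(Timer *t) {
    if (t->state == ST_FREED) { faults++; return ERR_DOUBLE_FREE; }
    t->state = ST_FREED; return OK;
}
/* Safe ownership: the timer dies only when its last holder releases it. */
static void timer_addref(Timer *t) { t->refcnt++; }
static int timer_release(Timer *t) { return --t->refcnt == 0 ? timer_free_unsafe(t) : OK; }

/* Handlers modelling a script event that cancels the timer that fired it. */
static void cancel_unsafe(Timer *t) { timer_free_unsafe(t); }
static void cancel_safe(Timer *t)   { timer_release(t); }

/* Dispatcher as the advisory describes it: runs the handler, then keeps
 * touching the timer it still believes it owns. Returns faults detected. */
int dispatch_unsafe(void) {
    faults = 0;
    Timer *t = timer_new(cancel_unsafe);
    t->handler(t);            /* handler frees t while the dispatcher holds it */
    timer_use(t);             /* use-after-free: detected */
    timer_free_unsafe(t);     /* double free: detected */
    return faults;            /* 2 */
}
int dispatch_safe(void) {
    faults = 0;
    Timer *t = timer_new(cancel_safe);
    timer_addref(t);          /* dispatcher takes its own reference first */
    t->handler(t);            /* handler drops the list's reference; t survives */
    timer_use(t);             /* still live */
    timer_release(t);         /* last reference: destroyed exactly once */
    return faults;            /* 0 */
}
```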

Would these affect Camino? It is also Gecko-based.

Can’t resist… Welcome back Summoner Yuna… It was a long time without you in the forums :wink:

Hi Summoner Yuna,

Well the proof is in the pudding, click the link I gave in the top posting of this thread, with JavaScript enabled, and after 20 sec you will know if this will result in a crash.
As far as I could establish the error is in opening the file XPCOM_CORE.DLL (where there are some 73 imports) for the NSGetModule import tables. Another complicating factor is the delay through Windows that makes the errors in opening, as you view it through Dependency Walker. This I established for the jar50.dll v 1.8.20060.7278 and in NS_Alloc_P.

polonus

Yes, it crashed Camino in Mac OS X 10.3 on my iBook. So I guess it affects all Gecko browsers.

Hi Tech, yes it's been over a year.

Welcome back, Summoner Yuna. Do not be such a stranger so long. :slight_smile:
Hi Polonus,
I also have F.F 1.5.0.6. I clicked on the link you posted in your first post. I saw the pic of the woman, waited for 1 to 2 mins, no crash. Clicked on the “More Pictures” link, saw some pictures of a cat and other stuff. Still no crash. This is with “no script” activated and then not activated. Not sure why my F.F. remained stable? Oh well. Thanks for the info. :slight_smile: By the way, my JavaScript WAS enabled in F.F. when doing this.

Hi Damian!

Interesting, I clicked the link and Flock also crashed (NoScript extension not installed) …

Hi polonus
Hi neal63
I got the same result as neal63 did.

Same result here with FF 1.5.0.6 and the NoScript extension but Java enabled. Nice pics but no crash :slight_smile:

I tried again with FF 1.5.0.6 (fresh install with default settings, no extensions installed and JavaScript enabled) and it crashed after 2 seconds …

Hi guys!

Installed NoScript, tried again and it did its job very well, no crash at all. When I enabled global scripts (or just scripts from that page) to be run, it crashed again, so that made me wonder about what some of you said here:

How did you “deactivate” the NoScript extension, Neal, Crofty and Cloussau?

Hi M, just right-click the NoScript add-on in Tools / Extensions and select Disable.
I think that's how it can be done.

Hi Peter!

I tried that as well… FF crashes here… It only passes the test with NoScript turned on (and blocking certain scripts on that site, of course).

What results do the rest of you get?

EDIT: Installed NoScript in Flock and got the same results as with FF…

my ff died with scripts enabled as well :wink:

Hello Clousseau,

I don’t know what you experience, but after the last update I experience there is something wrong with the stability of FF, and that is why I use Flock; no problems with Flock with the full security Christmas tree installed, as stable as a rock, Sir.
With the latest Flock, it could of course be due to a corrupt dll file. I find several start-ups that Flock closes because of the jar50.dll problem I have, and I suspect that is in conjunction with xpcom-core.dll (that has to sort out 73 imports); then the jar50.dll and the four other DLLs it calls are not in one and the same browser file as well (jar50.dll makes errors in nspr4.dll, dlc4.dll, plds4.dll, and the notorious xpcom_core.dll. See nxXPCOM_h). Then the digital signature is not valid, and this SF does not contain a valid hash of the MANIFEST.MF file. For the moment I use Flock or Opera. FF with NoScript is not crashing because of the bug mentioned in this thread.

polonus

Hi malware fighters,

I could solve the problems with jar50.dll and plc4.dll errors only through a new fresh install of Portable Flock latest build.
Sure the corruption was through SiteAdvisor, a Firefox bug (various race conditions).
Read about other bugs, and why FF goes 1, 2, 3 on installing a plug-in from here: http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs

Very serious situation, don’t we think so, folks. Also Google Apps can cause this browser to crash relentlessly.

polonus

Polonus,
Maybe it’s time to change over to IE7 RC1 ??? ;D

or Lynx … ;D ;D ;D